The address in the "From:" header is what an email client displays to the user. The "From:" header is used by email clients to display any email address (including a portion with a name and punctuation signs) the sender wants; it's not necessarily the real address where email bounces or replies are sent to. SpamFilter thus ignores any addresses specified in the "From" headers.

The true email address that the email is sent from (at least as indicated by the remote SMTP server) is the one in the MAIL FROM command. It will appear in the email headers in the "Return-Path:" header. SpamFilter will also log it in the "X-SF-RX-Return-Path" header.

This said, the blacklists will work on the true email address (the one in the Return-Path header), not in the often faked "From:" header. It's thus not possible to use the emails blacklist to stop emails based on the email address in the "From" header.

While by default SpamFilter does not scan for keywords in the email's headers, this behavior can be changed with this option in the SpamFilter.ini file:

;if ScanAllHeaders is set to 1 SpamFilter will add all email's headers to the text examined for keywords and statistical Bayesian searches.

ScanAllHeaders=1

With that option enabled, you could construct a keyword that will look for any lines that begin with "From:" and have the undesired portions of the email address you wish to block. It's usually better to use a RegEx (Regular Expression) to construct this keyword entry for more flexibility.

For example this RegEx:

((?i)^from:.*\w.+:)

will search, case-insensitively, for any line in the email that begins with the word "From:" followed by one or more words, followed by a colon ":" character. It would block the "From:" sample you provided above.

I've never been able to figure out how to engage multiline to be able to use ^ in an expression. I don't think the example you give above would work. Using the regex test window in spamfilter even something as simple as this would not work:

^from or this (^from)

I use Rad Software Regular Expression Designer for testing my regex. I leave the singleline option enabled in that software as I find that matches what spamfilter's regex does - meaning the ^ would only match at the very start of the string - not each line.

Is there any recent user guide available? I installed my spamfilter way back and just apply the updates so I don't have any recent manual. I would like to go over the regex section again and see what modifiers are available.... maybe I am missing something to make multiline work so I could use ^

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

Ouch, you're right, there is a bug with the comma. If you only have a single RegEx expression for a keyword, for example you have this entry:

(555{3,6})

then the comma within the RegEx is interpreted correctly - there are no issues. If however you have a combined keyword, where the first part is a regular non-RegEx keyword, followed by a RegEx expression, then I did duplicate the bug you mention - the comma within the RegEx is interpreted as a separator. So to make this clear, if this combined keyword is used:

test,(555{3,6})

then SpamFilter will interpret this as 3 different keywords:

test

555{3

6}

Going back to your original question about multiline searches, this is for example one of the keywords we ourselves are using to catch spam that contains nothing but the email I include below:

(\s*[\n\r]*<div>[\n\r]*<a href.*</a>[\n\r]*</div>[\n\r]*\s*\Z)

with:

\s* - zero or more spaces

[\n\r]* followed by zero or more CR or LF characters

<div>[\n\r]* - followed by the <div> tag with zero or more CR LF characters after it

<a href.*</a>[\n\r]* - then followed by an <a> </a> tag followed by zero or more CR LF characters after it

Uhm, are you sure that what you indicated is the line that triggers it? As you said, the "^" indicates the start of a line, and I think your RegEx would have stopped an entry like this as well (I bolded the part that would match):

The RegEx engine in SpamFilter matches the "^" by default only at the very start of the string (the body of the email). If you want to search anywhere in the text you should use the "m" modifier to treat the text as multiline. From our RegEx documentation:

m

Treat string as multiple lines. That is, change "^" and "$" from matching at only the very start or end of the string to the start or end of any line anywhere within the string, see also Line separators.

So you would need to use your second expression to search:

((?im)^from:.*<.*\.click>)

Are you certain of the remaining portion of the RegEx? For example, your keyword above would stop emails with the following text appearing at the beginning of any line in the body:

from:test<test.com .click>

It would not match either of these two lines however:

mail from:test<test.com .click>

or

from:test<test.com click>

The "\." indicates an escaped period, so "\.click" in RegEx means a match to ".click". Is this the expression you were looking for?

It is possible that there really has not been a hit yet, the keyword scanning is quite far down on the list. Maybe I will add a few more using the ^ technique as I have never used it before successfully and see if something triggers it.

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

FYI I sent you a few test emails containing that "from" header (Subject: test RegEx) to your yapadu email address, and you're right, they are not being stopped. I sent the same email to our own mail server, and it was successfully stopped by your keyword.

However, I do think we have some option enabled where if we 'accept' the message but the destination is quarantine then we do not send back a rejection notice... I think, that was some option in the .ini file but I have no idea what it was.

When we report the message as rejected, the number of calls/email messages we get for support just goes through the roof.

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

I have been surprised how little they have picked up (your two tests and a couple others). The 'others' it picked up were not what I wanted. It triggered on an email with a from: in the headers and an email ending with .rocks much further down (it was a bounce message).

I want the from to be at the start of the line (which I get with the m option) but I do not want the scanning to span more than one line, so the entire match must be on the single line to prevent false positives. Playing around I found I need to disable the singleline option as well. So I currently have:

(?im-s)^from:.*<.*\.rocks>

(?im-s)^from:.*<.*\.click>

I'm going to run those and see if I capture what I expect.

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
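
The modifier behaviour discussed in the posts above, reproduced outside SpamFilter as an added example (it is not code from the thread or from SpamFilter). It uses Go's regexp package, which accepts the same (?im-s) flag syntax; both messages are constructed samples, and because Go leaves the "s" modifier off by default, the SpamFilter behaviour the poster observed ("s" on) is written explicitly as (?ims).

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed bounce message: a From: header near the top and an unrelated
// address ending in .rocks several lines further down.
const bounce = "Return-Path: <>\r\n" +
	"From: Mail Delivery System <mailer-daemon@mx.example.net>\r\n" +
	"To: <alice@example.com>\r\n" +
	"Subject: Undelivered mail\r\n" +
	"\r\n" +
	"Delivery to the following recipient failed:\r\n" +
	"<bob@party.rocks>\r\n"

// Constructed spam headers: the .rocks address is on the From: line itself.
const spam = "Return-Path: <bounce@sender.example>\r\n" +
	"From: Deals <promo@cheap.rocks>\r\n" +
	"To: <alice@example.com>\r\n"

// Hits reports whether pattern matches anywhere in text.
func Hits(pattern, text string) bool {
	return regexp.MustCompile(pattern).MatchString(text)
}

// Modifier combinations from the thread. Go leaves "s" off by default, so the
// behaviour the posters describe for SpamFilter ("s" on) is written as (?ims).
const (
	NoMultiline = `(?is)^from:.*<.*\.rocks>`   // ^ only at start of text
	SpanLines   = `(?ims)^from:.*<.*\.rocks>`  // ^ per line, "." crosses lines
	SingleLine  = `(?im-s)^from:.*<.*\.rocks>` // ^ per line, "." stays on line
)

func main() {
	// Print one row per pattern: does it hit the bounce, does it hit the spam.
	for _, p := range []string{NoMultiline, SpanLines, SingleLine} {
		fmt.Printf("%-32s bounce=%-5v spam=%v\n", p, Hits(p, bounce), Hits(p, spam))
	}
}
```

Only the (?im-s) form blocks the spam sample while leaving the bounce alone; the (?ims) form hits the bounce because ".*" runs from the From: line down to the later .rocks address.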

It is designed to find a sender address in the from header that ends with .rocks - that works.

We then try taking it a step further, say to any recipient at a .com address so we came up with this.

((?im-s)^from:.*<.*\.rocks>),((?im-s)^to:.*<?.*\.com>?)

Individually these two regex would trigger, but we have not been able to see the combo of using both trigger. Is the problem related to the bug regarding the , or should we be able to do multiple regex separated with a comma?

--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.

I'm at a bit of a loss here. One part of the question is explainable. When SpamFilter sees a "(" as the first character in a line containing keywords, it expects *everything* on that line to be a RegEx. So the comma "," you used trying to specify two separate RegEx expressions on the same line will not work as you intended. It won't tell SpamFilter to separate the two RegEx expressions, rather it is interpreted as part of the RegEx.

So you would need to use a single RegEx expression to perform your search. Assuming the "From" header is specified before the "To" header in an email, the RegEx to use would thus be:

((?ims)^from:.*<.*\.rocks>.*^to:.*<?.*\.com>)

and to cover the cases where the "From" header is specified after the "To" header, you would need to invert them:

((?ims)^to:.*<?.*\.coz>.*^from:.*<.*\.rockz>)

The problem I have is that neither of those two keywords is working correctly. In my RegEx tests the first keyword above should have stopped an email with these headers:
